Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Could you help me use rex to extract end value extensions from field values?

arrangineni
Path Finder
‎09-12-2018 08:48 AM

I have field values with the below formats and I need to extract the end value extensions like (cjs, js ..,etc) from them and store them in separate fields. Can anyone help me with this? Thanks

sample=/abc/test/ipts/jquery-1.3.1-vsdoc.cjs 
sample=/abc/test/ipts/jquery-1.3.js
0 Karma
Reply

ddrillic
Ultra Champion
‎09-13-2018 10:00 AM

A related recent thread at How do I search to exclude logs with extensions?

0 Karma
Reply

osakachan
Communicator
‎09-13-2018 12:58 AM

Hello,

try this one:

".*\.(?.*)$"

Tested with:
| makeresults |eval lol="/abc/test/ipts/jquery-1.3.1-vsdoc.cjs " | rex field=lol ".*\.(?<foo>.*)$" | table lol,foo

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-13-2018 12:28 AM

Hi arrangineni,
try something like this:

\.(?<extension>.*)$

if you already extracted the field sample, you could also use the command

| rex field=sample "\.(?<extension>.*)$"

You can test it at https://regex101.com/r/L5vehV/1

Bye.
Giuseppe

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎09-12-2018 09:29 AM

This is probably a bit greedy, but it works in regex101.com:

.*\.(?<extension>[a-z]+)
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎09-12-2018 09:15 AM

So do you want the js and cjs values from the sample field stored in a separate field (like one named ext) at search time?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...